
WORK IN PROGRESS

Aggregated Log Source Ingestion a.k.a. ALSI (Cribl LogStream) Notes

Create Okta (OIDC) Application

Follow the instructions from docs.cribl.io to create the Okta application.

Prerequisites:

  • The Leader/Master ALB URL for the Web UI

You may be thinking, "What is the URL? I have not created it yet." You are correct. Fortunately the ALB follows a standard naming convention, so the correct value is predictable, and it does not have to be correct right now. It does have to be correct before anyone signs in: Okta requires an exact match between the redirect URI in the authorization request and the one registered on the app, so fix it as soon as the ALB exists.

Example: https://<customer>-alsi.pvt.accenturefederalcyber.com

The base URL is needed in two places, each with a path suffix given in the Cribl documentation. You can also compare against an existing Cribl Stream Okta application.

Assigning users, groups or roles to the app is not required at this point. The app is added to Okta first only to obtain the two strings (client ID and client secret) that go into Salt.

Copy the Okta client ID and client secret. You will add them to the customer's pillar variables file as described below.

Add Cribl Pillars to Customer Variables SLS

Add the mdr_wildcard_cert pillars to Salt's pillar/top.sls for the ALSI instances.

```yaml
# pillar/top.sls
---
### Find the customer's section and add
'<customer>-alsi-*':
  - mdr_wildcard_cert
### etc. etc.
...
```

Enable GPG

Add `#!jinja|yaml|gpg` as the first line of the customer variables SLS file if it is not already present. Without the `gpg` renderer in that shebang Salt does not decrypt the PGP blocks, and the armored ciphertext is handed to the Cribl states verbatim.

Copy the cribl pillars from an existing customer such as Moose (moose_variables.sls) to the customer's variables file.

Replace every GPG-encrypted value except admin_password (that is, license, hec_token, okta_client_id and okta_client_secret) with a block encrypted for this customer; the copied admin_password block is kept as-is. Do not leave any of these values empty or paste them in plaintext, since the file is committed to the repository.

```yaml
{# 'bas-alsi-' is the source customer's prefix; change it to match the customer's top.sls glob, e.g. '<customer>-alsi-' #}
{% if grains['id'].startswith('bas-alsi-') %}
cribl:
  privatekey_path: "/opt/cribl/pki/privatekey.pem"
  certificate_path: "/opt/cribl/pki/cert.pem"
  license:
  hec_token:
  admin_password: |
    -----BEGIN PGP MESSAGE-----

    Value removed
    -----END PGP MESSAGE-----
  okta_client_id:
  okta_client_secret:
{% endif %} {# If alsi #}
```

:information_source: See the GnuPG (gpg) Notes document for instructions on how to GPG-encrypt the various values.
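Before committing the customer variables file, it is worth checking it for the three things that go wrong with a pillar copied from another customer: the GPG shebang is missing, the grain guard still names the source customer's prefix, or a secret was left empty or pasted in plaintext. The following lint is an added example, not code from these notes, Cribl or Salt; the key list, the `acme`/`bas` prefixes and the sample SLS it builds are constructed assumptions modelled on the pillar above.

```python
"""Lint a copied customer variables SLS before it is committed.

Added example; not code from these notes, Cribl or Salt. The key list, the
prefixes and the sample SLS below are constructed assumptions.
"""
from __future__ import annotations

import re

SHEBANG = "#!jinja|yaml|gpg"
# Assumption: all five values are GPG-encrypted in the file the notes say to copy from.
SECRET_KEYS = ("license", "hec_token", "admin_password",
               "okta_client_id", "okta_client_secret")
GRAIN_GUARD = re.compile(r"startswith\('([^']*)'\)")
# An ASCII-armored message: BEGIN line, anything, then an END line (indented or not).
PGP_BLOCK = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?^[ \t]*-----END PGP MESSAGE-----[ \t]*$",
    re.S | re.M,
)


def lint_cribl_pillar(text: str, customer: str) -> list[str]:
    """Return the problems found; an empty list means the file is safe to commit."""
    problems: list[str] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != SHEBANG:
        problems.append(f"line 1 must be {SHEBANG!r}, otherwise the gpg renderer never runs")
    expected = f"{customer}-alsi-"
    for guard in GRAIN_GUARD.findall(text):
        if guard != expected:
            problems.append(f"grain guard uses {guard!r}, expected {expected!r}")
    for key in SECRET_KEYS:
        m = re.search(rf"^[ \t]+{key}:(.*)$", text, re.M)
        if m is None:
            problems.append(f"{key}: missing from cribl pillar")
            continue
        value = m.group(1).strip()
        if value == "|":
            # Block scalar: the next non-blank text must be an armored PGP message.
            following = text[m.end():].lstrip()
            if not PGP_BLOCK.match(following):
                problems.append(f"{key}: block scalar is not an armored PGP message")
        elif value == "":
            problems.append(f"{key}: empty value, GPG-encrypt it and paste the block")
        else:
            problems.append(f"{key}: plaintext value would be committed")
    return problems


def _armored(label: str) -> str:
    """Constructed stand-in for `gpg --armor` output; not real ciphertext."""
    return ("|\n    -----BEGIN PGP MESSAGE-----\n\n"
            f"    hQEMA{label}ConstructedPlaceholder==\n"
            "    -----END PGP MESSAGE-----")


def sample_sls(customer: str, shebang: bool = True, **overrides: str) -> str:
    """Build a constructed variables SLS shaped like the pillar in the notes."""
    values = {key: _armored(key) for key in SECRET_KEYS}
    values.update(overrides)
    body = "\n".join(f"  {key}: {value}" for key, value in values.items())
    head = SHEBANG + "\n" if shebang else ""
    return (
        f"{head}{{% if grains['id'].startswith('{customer}-alsi-') %}}\n"
        "cribl:\n"
        '  privatekey_path: "/opt/cribl/pki/privatekey.pem"\n'
        '  certificate_path: "/opt/cribl/pki/cert.pem"\n'
        f"{body}\n"
        "{% endif %} {# If alsi #}\n"
    )


if __name__ == "__main__":
    print("good:", lint_cribl_pillar(sample_sls("acme"), "acme"))
    # A file copied from 'bas' and only half edited for customer 'acme'.
    copied = sample_sls("bas", shebang=False, hec_token="",
                        okta_client_secret="0oa-constructed-plaintext")
    for problem in lint_cribl_pillar(copied, "acme"):
        print("bad: ", problem)
```

Run it against the real file (`lint_cribl_pillar(open(path).read(), "<customer>")`) from a pre-commit hook or by hand; it only inspects the text, so it never needs the GPG private key and is safe to run anywhere the repository is checked out.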

Creating the Cribl Infrastructure for a Customer

Copy the 175-splunk-alsi directory from an existing customer (or test Moose) to the customer's directory in the xdr-terraform-live repository.

```shell
cp -a ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-bas/175-splunk-alsi ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-<customer>/
```

Create Worker nodes

To create one or more worker nodes along with the leader, edit xdr-terraform-modules/base/splunk_servers/alsi/config.tf and add the customer's account (the account name from its account.hcl) to the exceptions map with the desired worker count; accounts not listed there get the default.

```hcl
# If cribl is being used for log ingestion, remember to turn on splunk_private_hec
# in `splunk_servers/indexer_cluster/config.tf`, too.
alsi_workers_default = 0 # how many cribl workers
alsi_workers_exceptions = {
  afs-mdr-test-c2-gov = 2,
  mdr-prod-bas        = 2,
  # mdr-prod-<customer> = <count>,  # account name from the customer's account.hcl
}
```

If the customer requires public ELBs for HEC, enable those in config.tf as well.